The EU Digital Wallet – Fit for purpose or false optimism?

Adam Laub, GM, Stealthbits, a Netwrix Company, discusses the data security implications of the EU’s digital wallet that will give citizens a safe way to access public and private services online

The EU’s commitment to the unveiling of plans for a digital wallet has been touted as one of the key steps that will ensure the region is fit for post-COVID life. The digital wallet, which aims to give EU citizens a safe way to access public and private services online by linking their national identities digitally with proof of other citizen services, such as driving licences or bank accounts, could be in force by as early as September 2022. There’s even talk of a potential link to future decisions on a digital euro.

The plans have been hailed as a positive for businesses, but questions have been raised around privacy and security concerns. Can this promise of a digital utopia be too good to be true? And how will citizens, public sector bodies and private businesses alike, be able to trust a digital wallet to protect their most valuable data?

Eliminating common threats

Many would argue that no platform can be 100% secure, and it’s no surprise that scepticism abounds when the public sector promises a completely secure way to access all your personal data. Even if platform security is strong, recent research found that 1 in 4 government agencies reported accidental cloud data leakage in 2020.

Yet the digital wallet is offering a mechanism to increase an individual’s security posture overall, and mitigate the risk of their personal data being compromised – which is presumably a major step in the right direction. In a world where everyday citizens don’t or don’t know how to secure themselves, making security a feature of the products and services they leverage is both exemplary and necessary.

If this digital wallet gains momentum, it wouldn’t be a stretch to see significant adoption of the platform by countless other services as a means by which to pass credentials and verify identities. While the most popular form of security, passwords have always been a weak spot when it comes to protecting secure data.

As such, personal password vaults and multi-factor authentication have already proven their worth on their own. The EU’s Digital Wallet brings these capabilities to the masses. Stronger passwords that citizens don’t have to remember can drastically reduce highly effective threats associated with account compromise such as credential stuffing and password spraying. Unfortunately, password spray attacks are frequently successful because users often fail to follow password best practices. In fact, the 200 most common passwords leaked in data breaches in 2019 included obvious number combinations such as “12345”, common female first names, and the word “password” itself. Any attacker who targets a sufficiently large number of usernames and works with a large enough bank of common passwords is bound to be able to compromise some accounts. Just last month, 8.2 billion passwords were leaked online – what journalists branded “the mother of all password leaks”.

Easily enforcing and incorporating multiple factors of identity verification into all aspects of what citizens do online should also all but eliminate the most common methods of credential compromise attackers have come to rely upon.

Embracing privacy and security

Looking at the wider picture, a benefit of the EU’s Digital Wallet initiative is that it represents a clear demonstration of how Data Privacy and Data Security are really two sides of the same coin. Too many still see and treat security and privacy as two separate subjects, hampering the effectiveness of privacy programs and initiatives.

It is true that the two are clearly delineated. Data privacy is the practice of ensuring information is not accessed by unauthorized parties and that individuals retain control over their personally identifiable information (PII). Therefore, where data privacy is primarily concerned with the procedures and policies to govern and safeguard the privacy of PII and data, data security involves using physical and logical strategies to protect information from data breaches, cyberattacks, and accidental or intentional data loss.

The EU Digital Wallet will certainly concern PII, which stands out as highly sensitive information because of the civil and criminal liability faced if PII is improperly exposed. As a result, regardless of the jurisdiction in question, Data Privacy regulations ubiquitously require security controls be put in place to ensure the appropriate handling of personal data. This is an important distinction because this essentially means that while Data Security can be achieved without Data Privacy, Data Privacy cannot be achieved without Data Security. This acknowledgement is encouraging to see as the world relies on more and more digital provisions post-COVID.

Ultimately, while security and privacy concerns about the new EU Digital Wallet are not unfounded, the proposal is a leap in the right direction for an ecosystem that will be increasingly dependent on digital services. By eliminating the most common attack vectors through which cyber criminals operate, and understanding that data privacy will not succeed without security, we’re one step closer to a realistic digital future.